The Ultimate Prompt for Generating a Production-Ready Flask Web App

Posted on by

Large Language Models are great at generating code — but without a strong, opinionated prompt, you often end up with demo apps that fall apart in production.

This article presents a battle-tested “gold standard” prompt for generating a real web application:

  • Secure authentication (Google, Facebook, etc.)
  • Python Flask backend
  • Bootstrap-based multi-page UI
  • MySQL by default, SQLite when appropriate
  • systemd + Nginx deployment
  • Security, migrations, health checks, and sane defaults

The goal is simple:
one prompt → a deployable webapp, not a toy example.

✅ The Prompt (Copy/Paste)

You are a senior full-stack + DevOps engineer. Build a production-ready webapp with secure login.

DEFAULTS (use these unless I explicitly override):
- CSS framework: Bootstrap 5
- App structure: classic multi-page (Jinja templates)
- Database default: MySQL 8 (SQLAlchemy + PyMySQL)
- Optional lightweight alternative: SQLite (only if explicitly selected)
- Auth/session: Flask-Login with server-side sessions (NOT JWT)

FIRST: Ask me ONLY these questions (no code yet):
1) System name (slug + display name)
2) Domain name (e.g. app.example.com)
3) OS target (Ubuntu 22.04/24.04) and deploy user
4) Backend bind port on localhost (default 8000)
5) OAuth providers: Google, Facebook, plus any of: GitHub, Microsoft, Apple
6) Do we also support email+password? (yes/no)
   - If yes: require email verification? (yes/no)
7) Database choice:
   - MySQL 8 (default, production)
   - SQLite (simple deployments / low volume)
8) Do you want to override defaults for:
   - CSS framework
   - App structure
   - Auth strategy
9) UI layout preference: top-nav, sidebar, or both (responsive)
10) Theme: light only, or light/dark toggle
11) Welcome/onboarding page:
    - enabled by default? (yes/no)
    - disable mechanism: global env flag, per-user toggle, or both
12) Demo pages to include (pick 3–6):
    dashboard, profile, settings, admin, docs, pricing, design-system
13) Branding: primary color + logo text

AFTER I ANSWER, GENERATE THE ENTIRE PROJECT as a single cohesive deliverable.

Required deliverables:
A) Concise architecture overview (max ~1 page)
B) A single bash script `setup.sh` that writes the entire project
   (assume project dir exists and venv is activated)
C) `.env.example`, `README.md`, `RUNBOOK.md`
D) Deployment assets:
   - systemd unit running gunicorn on 127.0.0.1:<port>
   - Nginx reverse proxy config
   - deploy scripts: install deps, configure nginx, configure systemd,
     restart/reload, view logs
   - always test nginx config before reload
E) Verification checklist

Backend requirements:
- Flask app factory pattern
- Blueprints: auth, main, settings (and admin if selected)
- SQLAlchemy models + Flask-Migrate/Alembic
- Identical models and migrations for MySQL and SQLite
- SQLite rules:
  - Enable foreign keys via PRAGMA
  - Warn about concurrency limits
- MySQL:
  - pool_pre_ping enabled
  - sane pool sizing defaults
- User model:
  id, email (nullable if OAuth-only), display_name,
  created_at, last_login_at, is_admin, welcome_enabled
- OAuth identities table (provider, provider_user_id, email)
- OAuth via Authlib (or equivalent mature library)
- Account linking/unlinking UI with lockout prevention
- Flask-Login sessions with secure cookies:
  Secure, HttpOnly, SameSite
- ProxyFix for correct behavior behind Nginx
- CSRF protection everywhere (Flask-WTF), logout via POST
- Rate limit auth endpoints
- Safe redirect handling (no open redirects)
- Security headers (prefer Nginx):
  HSTS (when HTTPS), X-Frame-Options, Referrer-Policy, basic CSP
- Health endpoints:
  /healthz (no DB)
  /readyz (DB connectivity)

Frontend/UI requirements (Bootstrap 5 default):
- Multi-page Jinja templates with base layout
- Auth-aware navigation
- Styled flash messages
- Pages:
  1) Welcome page (redirects to dashboard if disabled)
  2) Dashboard (demo widgets/cards)
  3) Profile (edit display name, show connected providers)
  4) Settings (welcome toggle, theme toggle if enabled)
  5) Design-system page showcasing Bootstrap components
  6) Optional admin page (simple user list)
- Error pages: 404 and 500
- Static assets under /static with cache headers via Nginx

Email/password (only if selected):
- Registration and login
- Password hashing using Argon2
- Email verification
- Password reset flow (token + expiry)
- Optional magic-link login (only if explicitly requested)

Quality requirements:
- ruff + black configuration
- Minimal pytest suite:
  - login-required protection
  - CSRF enabled
  - redirect safety
- .editorconfig and .gitignore
- requirements.txt with pinned versions
- Clear local run + deployment instructions

Output rules:
- Do not ask additional questions beyond the list.
- After my answers, output in this order:
  1) Architecture overview
  2) setup.sh
  3) OAuth provider setup steps
  4) Deployment instructions
  5) Verification checklist

Make sensible defaults if answers are missing, and state them clearly.

🔍 Why This Prompt Works (Verbose Explanation)

1. Opinionated Defaults Prevent Garbage Output

LLMs perform best when they don’t have to guess.
Bootstrap, multi-page Flask, Flask-Login, and MySQL remove ambiguity and avoid SPA/JWT overengineering.

You can still override — but only intentionally.

2. Security Is Non-Optional

Most generated apps fail here. This prompt forces:

  • Secure session cookies
  • CSRF everywhere (including logout)
  • OAuth account-linking safety
  • Rate limiting on auth
  • No open redirects
  • Proper proxy handling behind Nginx

This immediately elevates the result from “demo” to “deployable”.

3. SQLite Without Shame (But With Rules)

SQLite is perfect for:

  • Internal tools
  • Single-user apps
  • Edge deployments
  • Simple VPS setups

But the prompt prevents bad habits:

  • Same models
  • Same migrations
  • Explicit concurrency warning
  • Clean upgrade path to MySQL

SQLite becomes a strategic choice, not a shortcut.

4. Deployment Is a First-Class Feature

Instead of “run flask locally”:

  • systemd
  • gunicorn
  • Nginx reverse proxy
  • health checks
  • safe reloads
  • logging via journald

This matches how real services run.

5. setup.sh Forces Coherence

Requiring a single script that writes the entire project:

  • Eliminates missing files
  • Forces consistent paths
  • Makes the result reproducible
  • Avoids “here are 14 snippets” answers

This is a huge quality filter.

6. UI Is Minimal — But Real

No fancy frontend frameworks, but:

  • Real navigation
  • Profile & settings
  • Welcome flow
  • Design system page
  • Admin page option

Enough to validate structure, auth, and UX without bloat.

7. Tests Without Overkill

A tiny pytest suite ensures:

  • Auth protection exists
  • CSRF is actually on
  • Redirects are safe

This catches 80% of real-world bugs with 20% effort.

🧠 Final Thoughts

This prompt is not about generating code fast.
It’s about generating the right shape of system, every time.

You can:

  • Use it as-is
  • Trim it for quick projects
  • Lock it down as a company standard
  • Hand it to junior devs or AI tools safely
0
Development

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.